Method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment

ABSTRACT

A method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment. The method allows peers using their own personal agents to obtain reputation information of each other through a pair of trustworthy mediator proxies. A mediator proxy is considered trustworthy if even when it is compromised it can guarantee three conditions: (1) the anonymity of the identity of the responders and the target being inquired; (2) the privacy of the content in an inquiry and a response; and (3) the boundary limit of the reputation summary with no possibility of combining the response of multiple inquiries to reverse engineer the reputation rating of an individual responder.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to and the benefit of U.S. provisional patent application Ser. No. 61/004,407, filed Nov. 27, 2007, which application is incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The embodiments of the present invention relate to a method for a reputation inquiry, and more particularly, the embodiments of the present invention relate to a method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment.

BACKGROUND OF THE INVENTION

Reputation systems have been studied across a number of diverse disciplines. For example, the user feedback posted after the completion of a transaction on eBay is perhaps one of the most well-known reputation systems. Reputation on eBay is simply a function of the cumulative positive and non-positive ratings for a seller or a buyer over the history of being an eBay member. As pointed out elsewhere, one of the most noticeable effects, the so-called Pollyanna effect, is the disproportionately large number of positive feedbacks and rare negative feedbacks. The Pollyanna effect is particularly evident on eBay. Public disclosure of rating and rater information is one of the many factors contributing to eBay's Pollyanna effect. There are also studies on the vulnerability of a reputation system and the risk of misbehavior because of the lack of reputation consequence. For example, a Sybil attack is not uncommon in an environment where a participant in the reputation system can easily create multiple identities.

There are many applications to the reputation inquiry just described, e.g., reputation-based network security and reputation-based medical referral. For example, a patient may want to know the reputation of a physician from, for example, other participants in an online blog. The patient could post the reputation inquiry on the online blog and hope that those who have been treated by the physician could offer useful feedback on the physician. In a typical online blog, all participants, including the physicians, can see all the postings of each other. Consequently, the alias identity of the patient, the feedback providers, and the reputation feedback are now all exposed to the public and subject to manipulation, e.g., the physician could create an alias identity and enter biased feedback for himself/herself.

One of the challenges when constructing a reputation system is in establishing the system's trustworthiness and managing the risk of undesirable bias introduction. Consider the case where party P1 solicits an opinion about party P2 from parties P3 and P4 (the referees with regard to the inquiry about P2), and party P4 solicits an opinion about party P3 from party P2 (the referee with regard to the inquiry about P3). If these solicitations are held in public, parties P2 and P3 will each know that the other party is being solicited for feedback. Consequently, both parties may artificially inflate/deflate their opinion about each other in exchange for a favor/revenge, thus introducing undesirable bias. When this happens, the integrity of the reputation inquiry is compromised and its trustworthiness becomes questionable.

Clearly, the success of a reputation inquiry depends on its ability to guarantee the privacy of each party when expressing its opinion about the others. A commonly encountered strategy is to introduce a mediator proxy (see FIG. 1) to achieve a double-blind process. In doing so, administrative policy is required to verify that the mediator proxy maintains the confidentiality of the information flowing through it. Compliance with the policy, however, may not be enforceable, and its success relies on the voluntary participation of the parties. For example, the eBay feedback system is one such case, which relies on voluntary participation of the buyers and sellers.

Even if voluntary participation exists, there can be a privacy leak from the mediator proxy. Note that in a traditional double-blind process, the mediator proxy has the information about the identity of the inquirer (party P1), the identity of the target (party P2), and the identities of the referees (parties P3 and P4). If there is a security breach on the mediator proxy, then the privacy of all parties in the above example is compromised. The mediator proxy could be compromised due to, for example, passive sniffing by the peers on the communication channel between the mediator proxy and the inquirer/referee(s), or a legal or illegal interception of the communication channel by an intruder/authority.

Two main approaches are typically encountered in regard to protecting the identity of participating parties, namely, store-and-forward proxy, and broadcasting. An example of a store-and-forward proxy approach is the Publius system relying on encryption and threshold key distributed to a static, system-wide list of servers to protect identity of a publisher. Broadcasting as discussed elsewhere, on the other hand, protects identity of a responder. Personal privacy protocol (“P⁵”) provides mutual—inquirer and responder—anonymity through transmitting an inquiry and a response to a broadcast group, as opposed to an individual party.

For protecting the privacy of the inquiry content and response, k-anonymity and cryptographic application are two general concepts commonly encountered. The basic idea behind k-anonymity is to introduce poly-instantiation so that an entity value is indistinguishable from (k−1) other objects assuming the same value. Exemplary privacy preserving techniques based on k-anonymity could be found elsewhere. Cryptographic application to privacy preserving has ranged from applying standard encryption techniques and PKI for protecting the “secrets” of the inquiry content and response, to creating a dining cryptographer network, such as Herbivore. A certain trust assumption is made in the cryptographic application to privacy preserving communication, particularly, the trustworthiness of the parties involved in the communication process. The embodiments of the present invention could be considered as one kind of cryptographic application to privacy preserving communication but with a provable privacy assurance similar to that of Herbivore.

The prior art generally fails to provide adequate privacy protection. Reputation inquiry without privacy protection is vulnerable to the Pollyanna effect. The Pollyanna effect, as exemplified in eBay, is a disproportionately large number of positive feedbacks and rare negative feedbacks. Public disclosure of the rating and the rater information is one of the many factors attributed to the Pollyanna effect. As such, the “true value” of a reputation rating in such an environment becomes difficult to discern.

The prior art that utilizes the broadcasting approach opens itself to the possibility of establishing direct communication to the inquirer. The broadcasting approach to achieve identity anonymity typically relies on some kind of proxy to broadcast the inquiry to responders. If the responders reply directly to the inquirer, the identity of the responders is exposed, thus entailing a privacy leak. If the responders reply via the proxy, such as a personal privacy protocol P⁵, the proxy becomes the central point entailing the risk of a privacy leak. This is because the proxy will know the identity and the content of the inquirer, as well as the identity and the response of the responders. Although protocols relying on broadcasting provide some degree of identity anonymity, they are typically not sufficient to prevent a privacy leak. This is particularly so in an environment allowing an inquirer to construct an arbitrary reputation inquiry. For example, an inquirer constructs a query inquiring about one specific individual and targets it at one specific responder. In doing so, the privacy of the reputation rating of a responder on the specific individual is no longer protected, even if broadcasting and encryption are employed.

The prior art that utilizes k-anonymity does not even attempt to protect the content of a response. K-anonymity introduces poly-instantiation so that an entity value is indistinguishable from (k−1) other objects assuming the same value, e.g., K entities assuming the same ID number so that the ID number could not be used to reverse-identify an individual entity without ambiguity. K-anonymity only protects the privacy of the inquirer and responders through broadcasting. It does not protect the content confidentiality unless technology, such as cryptography, is applied. While cryptographic application protects the content confidentiality, infrastructure for encryption and decryption key management and distribution is required. Key management and distribution are particularly difficult in a P2P environment because of its dynamic nature where peers could come and go anytime, and do not know each other.

Thus, it is an object of the embodiments of the present invention to provide a method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment, which avoids the disadvantages of the prior art.

Briefly stated, another object of the embodiments of the present invention is to provide a method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment. The method allows peers using their own personal agents to obtain reputation information of each other through a pair of trustworthy mediator proxies. A mediator proxy is considered trustworthy if even when it is compromised it can guarantee three conditions: (1) the anonymity of the identity of the responders and the target being inquired; (2) the privacy of the content in an inquiry and a response; and (3) the boundary limit of the reputation summary with no possibility of combining the response of multiple inquiries to reverse engineer the reputation rating of an individual responder.

SUMMARY OF THE INVENTION

An inquirer (or agent acting on behalf of the inquirer) decides he/she wants to know what a first party (e.g. “P3”) thinks about a second party (e.g. “P2”). P3, like all parties in the peer-to-peer environment, has a rating score for P2, but it is only P3's rating score that the inquirer is interested in. An inquiry vector is generated by linearly combining two or more queries. This linear combination masks the question about P2 such that a key (set by the inquirer) is needed to re-combine the two queries. The vector is sent to an inquiry handler who sends it on to P3 and P4 and whoever else is in the system. In this fashion, P3 remains unaware that it is the responder of interest and none of the responders know the identity of the inquirer. In some embodiments, an agent handles the transfer of the vector from the inquirer to the inquiry handler. Every party in the peer-to-peer environment who receives the vector raises each of the elements in the vector by a power equal to their rating scores for that element. Thus, P3 is not aware that it is the opinion about P2 that is specifically being targeted. Each individual party sends a response to a response handler who summarizes the responses and then relays the reply back to the inquirer (or an agent). The response handler may add random noise to the summary response. The response handler was told, by the inquiry handler, where to send the response. Once the inquirer receives the summary report, the key is used to re-combine the (now raised by some power) queries. Those queries which do not pertain to P2 cancel, leaving only data about P2. In some embodiments, an agent decodes the summary response and sends only the data that pertains to the inquiry to the inquirer.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is disclosed with reference to the accompanying drawings, wherein:

FIG. 1 is a diagrammatic delineation describing the relative knowledge of each of the parties;

FIG. 2 is a diagrammatic delineation of the privacy preserving protocol of the embodiments of the present invention;

FIG. 3 is a tabulation of the boundary interval of response; and

FIG. 4 is a tabulation of the cumulative threat of responders.

FIG. 5 is a diagrammatic delineation of an agent assistant reputation inquiry embodiment of the present invention; and

FIGS. 6A to 6F are a flowchart of the method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment of the embodiments of the present invention.

Corresponding reference characters indicate corresponding parts throughout the several views. The examples set out herein illustrate several embodiments of the invention but should not be construed as limiting the scope of the invention in any manner.

DETAILED DESCRIPTION OF A SPECIFIED EMBODIMENT

The embodiments of the present invention present the protocol of an agent assistant approach to achieve privacy preserving reputation inquiry via a pair of mediator proxies—referred to as an inquiry handler and a response handler. Fields where the subject invention finds particular utility include IT (Information Technology) security and financial/credit rating services.

While the embodiments of the present invention utilize standard cryptographic application and broadcasting to achieve inquirer-responder anonymity and content confidentiality, the invention is distinguished from the prior art in at least three aspects.

First, at least two mediator proxies are introduced to achieve a “separation of duty.” Specifically, a first mediator proxy (inquiry handler) receives the inquiry, and a second mediator proxy (response handler) receives inquiry responses from responders. The first mediator proxy relays the inquiry to all participating parties so that each of the m responders becomes indistinguishable from the remaining n−m participants in a peer-to-peer environment, thus achieving the k-anonymity for privacy preserving and content confidentiality, which overcomes any disadvantage existing in the prior art. Importantly, the mediator proxies do not get involved in the encryption process. Therefore, the mediator proxies have no access to the information about the identity of the responder(s), which is protected in the encrypted inquiry. This provides the distinct advantage of providing an additional layer of privacy protection due to the encryption of the responder identity into the inquiry vector, which overcomes another disadvantage existing in the prior art. Furthermore, the mediator proxies are completely trustworthy. As the phrase is used in this specification, a mediator proxy is considered trustworthy if, even when it is compromised, it can guarantee three conditions: (1) the anonymity of the identity of the responders and the target being inquired; (2) the privacy of the content of an inquiry and a response; and (3) the boundary limit of the reputation summary with no possibility of combining the response of multiple inquiries to reverse engineer the reputation rating of an individual responder.

Second, a data structure hashing the identity of peers is applied to encode a “position reference” for each trusted peer referee into a unique index of an inquiry vector. Homomorphic encryption is then applied to the inquiry. The advantage of homomorphic encryption is its mathematical property allowing a responder to respond directly. In other words, a responder could respond to the encrypted inquiry without the inquirer sharing the decryption key, which is typically required to reveal the inquiry content. This overcomes the disadvantage about the necessity of an infrastructure for encryption/decryption key management and distribution.

Third, the embodiments of the present invention enable the mediator proxy handling the response to introduce an acceptable random noise to an encrypted response and introduce a personal agent to relay only the “need-to-know” response. Consequently, even if an inquirer crafts an inquiry with an attempt to compromise the privacy of a responder, reverse engineering the specific response of a specific responder would not be successful, which overcomes still another disadvantage of the prior art.

To facilitate its description, the invention will be described in the context of a hypothetical, four-party scenario. It should be understood that this description is for illustrative purposes only and should not be construed to limit the invention. Generally, given n participants in a reputation system, each party wants to know the reputation of each other. When party P1 is interested in the reputation of party P2, then party P1 will select m “trusted colleagues” from the group of n referees. These “trusted colleagues” are individualized referees for providing feedback about party P2. The reputation of party P2, based on the m(<n) referees selected by party P1, is derived based on the boundary limit of a linear sum of the weighted numerical scores of m referees.

In the present hypothetical scenario, assume there are four parties P1, P2, P3, and P4, i.e., n=4. Party P1 (the inquirer) wants to know about the reputation of party P2 (the target party). Each of the parties has a rating score concerning each of the other parties. The target party does not know the inquirer is asking about him/her, and the target party certainly does not know from whom the inquirer will solicit the opinion. From the inquirer's perspective, he/she has the choice of asking only party P3 (m=1) or P4 (m=1) or both (m=2). In each of these three cases, parties P3 and P4 do not know that the solicitation is from the inquirer. The precise information that is being retrieved is hidden from P3 and P4 such that they do not know that the inquirer is asking about the target party (P2).

To prevent data from being compromised, several procedures are used, namely, (1) algebraic transformation of an intended inquiry in combination with an enhanced homomorphic encryption satisfying E(k,m1+m2)=E(k,m1)E(k,m2), and [E(k,m)]^(c)=E(k,mc), where k is an encryption key, and the addition, product, and exponent are standard arithmetic operators, and (2) employing at least two mediator proxies to achieve separation of duty.

Algebraic Transformation and Homomorphic Encryption

For example, P1 may define an inquiry 2×SC+3×SD, where SC and SD are the rating about P2 by P3 and P4, respectively. Instead of encrypting and posting the inquiry directly, two queries are composed in such a way that some linear combination of the two queries results in the cancellation of all terms except the weighting factors for SC and SD. For example, consider the following two inquiry vectors relating to the original inquiry in the form of IV₂−2×IV₁:

IV₁=(2.3 4.2 1.3 2.4 9.6 2.7 8.3 7.6 2.9 6.6 3.2 4.3 5.1 9.9 1.7 2.4)^(T)

IV₂=(4.6 8.4 2.6 4.8 19.2 5.4 16.8 15.2 5.8 15.2 6.4 8.6 10.2 22.8 3.4 4.8)^(T)

In the above example, each of the elements of IV₂ is double the corresponding element in IV₁ except for the tenth and fourteenth elements. When a decryption function is applied such that the two vectors are combined linearly in accordance with the original encryption function, then all elements, except for the tenth and fourteenth, are canceled and the original weighting factors of SC and SD (2.0 and 3.0 respectively) are obtained. The aforementioned example is a simple linear combination (the values of the elements were multiplied by two), but exponential encryption for the elements in the linear combination is also possible.

In some embodiments of the present invention, instead of using the exponential encryption k^(m), an enhanced version of homomorphic encryption takes the form of E(k,a,m)=k^(am), where (k, a) are encryption keys and m is the message to be encrypted. Suppose two different encryption keys (k1=2.92, a1=3.1) and (k2=3.29, a2=2.9) are used for IV₁ and IV₂, respectively; the encrypted inquiry vectors will then appear to have no regular patterns among the numbers in the vectors.

Let E(2.92,3.1,R^(IV1)) and E(3.29,2.9,R^(IV2))² be the encrypted response vectors for IV₁ and IV₂, respectively, and let rnd1 and rnd2 be the corresponding random noise. The following linear combination allows the reconstruction of the boundary limit for the summary response to the original inquiry (2×SC+3×SD):

Σ_(i=10,14) Log_(3.29)(E(3.29,2.9,R^(IV2))_(i))/2.9−2·[Log_(2.92)(E(2.92,3.1,R^(IV1))_(i))/3.1]=(2·SC+3·SD)+(2·SC·rnd1+3·SC·rnd2)

In general, an inquiry on the reputation of a party from a group of referees can be decomposed into queries of which some linear combination results in the original inquiry.

A Pair of Mediator Proxies to Achieve Separation of Duty

The inquirer sends an encrypted inquiry to one mediator proxy—referred to as the inquiry handler. The inquiry handler receives the encrypted inquiry and distributes it to the responding parties. The other mediator proxy—referred to as the response handler—receives encrypted responses from the other parties and transmits the responses to the original inquirer. In addition, the inquiry handler also informs the responding parties about the identity of the response handler as well as the location to which the response handler should send the summary response (i.e. the inquirer).

Description of Process

Each party (Pi) maintains an n×1 (n≥i) vector (R^(Pi)) storing the rating score of each peer with the i^(th) entry being 0 (because an individual entity does not rate itself). Each party also has access to a first function (make_RV) that constructs the rating vectors as well as access to a second function (make_Response) that constructs a vector that includes the response. These two functions are further described as follows:

make_RV(R^(Pi),i)=T_(i)×R^(Pi)

where T_(i) is a transformation matrix of size n²×n for mapping R^(Pi) of size n×1 to rating vector V^(Pi) of size n²×1 with zero padding, and T_(i)^(T)=[Z_(n×n(i−1)) I_(n×n) Z_(n×n(n−i))] is composed of a zero matrix of size n×n(i−1), an identity matrix of size n×n, and another zero matrix of size n×n(n−i);

make_Response(V^(Pi), IV^(Pk))=Π_(j=1)^(n×n)(k^(mj))^(vj)

where vj is the j^(th) entry in V^(Pi), and k^(mj) is the j^(th) entry in IV^(Pk).

Using the make_Response function, each peer responder generates the response by raising each element of each encrypted inquiry vector to the power of the rating score.

Inquirer Pi defines the target party Pj, the set of “trusted peer referees” Ri_j={Pk|Pk is a referee selected by Pi to offer an opinion on Pj}, and a weighting factor wj_k associated with each Pk in Ri_j. In other words, the reputation inquiry (on Pj), denoted by RI_(Pj), can be mathematically represented by an n²×1 vector with the n(k−1)+j entry being wj_k, and all other entries being zero, where Pk ∈ Ri_j, and n is the number of peers in the reputation system environment.

Denoting the number of referees in Ri_j by |Ri_j|, the inquirer composes |Q| numbers of elements Q₁ . . . Q_(|Q|) satisfying one condition: there exists a linear combination Σ_(i=1)^(|Q|)a_(i)Q_(i)=RI_(Pj) for some a_(i)s. The coefficients a_(i)s are determined algebraically to retrofit the condition Σ_(i=1)^(|Q|)a_(i)Q_(i)=RI_(Pj). For each Q_(v) where v=1 . . . |Q|, the inquirer defines an encryption key (k_(v),a_(v)). Each element Q_(v) is then encrypted using (k_(v),a_(v)) to compose the inquiry vector IV_(v); i.e., E(k_(v),a_(v),Q_(v))→IV_(v) for v=1 . . . |Q|.

Upon receiving an inquiry vector, the inquiry handler broadcasts the encrypted inquiry vector to all parties (but not to the response handler), and notifies the response handler where to send the summary response. Each party Pi (i=1 . . . n except the inquirer) calls the function make_RV(R^(Pi),i) (defined in Step 1 above) to compose its rating vector V^(Pi) and subsequently make_Response(V^(Pi), IV^(Pk)) to compose a response vector RV_Pi. Once the rating vector and response vectors have been constructed, they are transmitted to the response handler.

Upon receiving the response from all parties, the response handler combines the responses to generate a summary response vector S_IV_(v)=Π_(Pi)RV_Pi. Afterwards, the response handler composes a final summary response by adding a random noise S_IV_(v)^(rnd) to the response so that the finalized response becomes S_IV_(v)^((1+rnd)), where rnd is an “unpredictable” value for each query from a random number generator RND(seed, param-val) with a seed value, and a distribution characterized by the set of statistical parameters defined in param-val over the range of random values [rnd_(min) . . . rnd_(max)]. The finalized summary response S_IV_(v)^((1+rnd)), together with the information about the random number generator, is transmitted by the response handler to the inquirer Pi.

Upon receiving the encrypted summary response for each IV_(v), the inquirer Pi decrypts the final response using the (1/a_(v))Log_(kv)(•) operator to obtain the unencrypted response R_Q_(v) for the query Q_(v), where v=1 . . . |Q|. After deriving the responses R_Q₁ . . . R_Q_(|Q|), the linear combination Σ_(i=1)^(|Q|)a_(i)(R_Q_(i))_(j) (an example is shown in Example 1 below under the heading “Construct two queries as a linear combination”) is constructed using the relevant j^(th) entries in R_Q_(i) to obtain a boundary limit for the reputation inquiry RI_(Pj) about Pj.

EXAMPLE 1

An example for the improved peer-to-peer communication is presented. Consider a five-party (P1 . . . P5) environment in which each party maintains the following rating scores.

Establish Rating Scores

Each of the five parties establishes a rating score wherein each of the other parties is rated. The party does not rate itself.

R^(P1)=(0 2.6 3.7 1.7 6.9)^(T)
R^(P2)=(1.3 0 2.6 5.1 4.7)^(T)
R^(P3)=(3.2 2 4.0 4.3 5.2)^(T)
R^(P4)=(2.7 3.2 4.5 0 2.3)^(T)
R^(P5)=(4.5 4.2 3.1 2.3 0)^(T)

Furthermore, the matrix representation of T₂^(T) in make_RV(R^(P2),2) is shown below for illustration purposes:

Column   1   . . .   5   6   7   8   9   10   11   . . .   25
Row 1    0   . . .   0   1   0   0   0   0    0    . . .   0
Row 2    0   . . .   0   0   1   0   0   0    0    . . .   0
Row 3    0   . . .   0   0   0   1   0   0    0    . . .   0
Row 4    0   . . .   0   0   0   0   1   0    0    . . .   0
Row 5    0   . . .   0   0   0   0   0   1    0    . . .   0

From these rating scores, a rating vector may be generated by make_RV. An example rating vector for P2 is shown.

make_RV(R^(P2),2)=T₂×R^(P2)=[0 0 0 0 0 1.3 0 2.6 5.1 4.7 0 . . . 0]^(T)

Weighing the Responses

In the present example, inquirer P3 solicits the reputation of target party P1 from responders P2 and P5. Then Ri_j=R3_1={P2, P5} for i=3 and j=1. Further assume inquirer P3 assigns a weighting factor of 0.8 to the response of P2 and 0.2 for the response of P5, i.e., w1_2=0.8 and w1_5=0.2. The reputation inquiry RI_(P1) is then expressed mathematically as a 5²×1 vector shown below:

RI_(P1)=[0 0 0 0 0 0.8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0 0 0 0]^(T)

Note that the only non-zero values are wj_k at the n(k−1)+j entry, with n=5, j=1, and k=2,5.

Construct Two Queries as a Linear Combination

In this example, RI_(P1) is expressed in terms of the linear combination of two queries defined by P3 as shown below:

$Q_{1} = \begin{bmatrix}0.997 & 0.611 & 0.266 & 0.84 & 0.376 \\ 0.28 & 0.009 & 0.276 & 0.588 & 0.838 \\ 0.485 & 0.744 & 0.458 & 0.744 & 0.599 \\ 0.735 & 0.572 & 0.152 & 0.425 & 0.517 \\ 0.31 & 0.169 & 0.492 & 0.7 & 0.148\end{bmatrix}^{T}$

$Q_{2} = \begin{bmatrix}0.204 & 0.125 & 0.055 & 0.172 & 0.077 \\ -1.092 & 0.002 & 0.057 & 0.12 & 0.172 \\ 0.099 & 0.152 & 0.094 & 0.153 & 0.123 \\ 0.151 & 0.117 & 0.031 & 0.087 & 0.106 \\ -0.225 & 0.035 & 0.101 & 0.143 & 0.03\end{bmatrix}^{T}$

where $RI_{P1} = 0.142 \times Q_{1} - 0.693 \times Q_{2}$.

Encrypt the Two Queries

The queries Q1 and Q2 are encrypted using the encryption keys defined earlier (i.e., k1=2.92, a1=3.1 for Q₁, and k2=3.29, a2=2.9 for Q₂) as follows:

$IV_{1} = \begin{bmatrix}27.42 & 7.624 & 2.421 & 16.294 & 3.485 \\ 2.535 & 1.03 & 2.5 & 7.05 & 16.159 \\ 5.007 & 11.829 & 4.578 & 11.857 & 7.315 \\ 11.492 & 6.696 & 1.655 & 4.106 & 5.572 \\ 2.8 & 1.753 & 5.124 & 10.222 & 1.632\end{bmatrix}^{T}$

$IV_{2} = \begin{bmatrix}2.025 & 1.541 & 1.207 & 1.812 & 1.305 \\ 0.023 & 1.006 & 1.216 & 1.516 & 1.809 \\ 1.409 & 1.693 & 1.383 & 1.693 & 1.528 \\ 1.682 & 1.499 & 1.113 & 1.351 & 1.442 \\ 0.46 & 1.127 & 1.416 & 1.641 & 1.11\end{bmatrix}^{T}$

Note that the k^(th) entry in IV₁ is 2.92^(3.1·Q1_(k)), where Q1_(k) is the k^(th) entry in Q1. Similarly, the k^(th) entry in IV₂ is 3.29^(2.9·Q2_(k)), where Q2_(k) is the k^(th) entry in Q2.

Action of Inquiry Handler and Responders

After the inquiry handler receives IV₁ and IV₂ from the inquirer, the inquiry handler notifies the response handler that the summary response, when compiled, is to be sent to the inquirer. In addition, the inquiry handler also notifies P1, P2, P4, and P5 to send the response to the response handler. The encrypted vectors IV₁ and IV₂ are then broadcast to P1, P2, P4, and P5 by the inquiry handler. The inquirer (P3) is the only party who does not receive the vectors. The functions make_RV(R^(Pi),i) and make_Response(V^(Pi), IV^(Pk)) are then called by each party to compose a response vector RV_Pi for each of the IV_(j), i=1,2,4,5 and j=1,2. To maintain the focus on only the most relevant information, only one such response from P2 for IV₁ is shown:

1 1 1 1 1 3.351 1 10.836 2.12E+04 4.78E+05 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Actions of Response Handler

After the response handler receives the responses from parties P1, P2, P4, P5, a summary response vector S_IV_(v)=Π_(Pi)RV is generated for each query (i.e., v=1,2). Different levels of the random noise are then added to the response for each query. An example of the final response vectors for the queries is shown below:

$\text{Response for } IV_{1} = S\_IV_{1}^{(1 + rnd)} \ (\text{where } rnd = 0.15) = \begin{bmatrix}1 & 434.266 & 43.071 & 234.162 & 20076.443 \\ 4.017 & 1 & 15.49 & 94314.61 & 3.399\text{E+06} \\ 1 & 1 & 1 & 1 & 1 \\ 1961 & 1093.74 & 13.537 & 1 & 94.033 \\ 206.266 & 15.048 & 338.654 & 467.975 & 1\end{bmatrix}^{T}$

$\text{Response for } IV_{2} = S\_IV_{2}^{(1 + rnd)} \ (\text{where } rnd = 0.13) = \begin{bmatrix}1.000 & 3.566 & 2.198 & 3.133 & 7.956 \\ 0.004 & 1.000 & 1.774 & 10.997 & 23.290 \\ 1.000 & 1.000 & 1.000 & 1.000 & 1.000 \\ 4.889 & 4.326 & 1.725 & 1.000 & 2.588 \\ 0.019 & 1.764 & 3.382 & 3.623 & 1.000\end{bmatrix}^{T}$

Decryption of Summary Response

Upon receiving the response for IV_(v) (v=1,2), the inquirer P3 decrypts the response using the (1/a_(v))Log_(kv)(•) operator on each element in the summary response vector S_IV_(v)^((1+rnd)) (v=1,2), and the following results are obtained:

$R\_Q_{1} = \begin{bmatrix}0 & 1.828 & 1.133 & 1.642 & 2.982 \\ 0.419 & 0 & 0.825 & 3.448 & 4.527 \\ 0 & 0 & 0 & 0 & 0 \\ 2.282 & 2.106 & 0.784 & 0.000 & 1.368 \\ 1.604 & 0.816 & 1.754 & 1.851 & 0\end{bmatrix}^{T}$

$R\_Q_{2} = \begin{bmatrix}0 & 0.368 & 0.228 & 0.331 & 0.601 \\ -1.612 & 0 & 0.166 & 0.694 & 0.912 \\ 0 & 0 & 0 & 0 & 0 \\ 0.460 & 0.424 & 0.158 & 0 & 0.275 \\ -1.147 & 0.164 & 0.353 & 0.373 & 0\end{bmatrix}^{T}$

Let r_q1_(i) and r_q2_(i) be the i^(th) entry in R_Q₁ and R_Q₂, respectively, where i=1 . . . 25. Note that only two terms r_q1_(i) and r_q2_(i) are relevant to the original inquiry, which are i=6 and i=21. The sum of these terms, Σ_(i=6,21)(0.142·r_q1_(i)−0.693·r_q2_(i))=2.199, produces an upper boundary limit for the query RI_(P1), which inquires into the reputation of P1 based on the linear combination of the rating by P2 (i.e., 1.3) with a weighting factor 0.8, and the rating by P5 (i.e., 4.5) with a weighting factor 0.2. It should be noted that Σ_(i=6,21)[(0.142·r_q1_(i)/1.15)−(0.693·r_q2_(i)/1.13)] is the exact linear combination of the rating information being sought (i.e., 0.8×1.3+0.2×4.5=1.94), whereas the scaling 1.15 and 1.13 are from (1+rnd) and introduced by the response handler to query 1 and 2, respectively.
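The exchange in Example 1 can be replayed end to end. The following Python sketch is an added example, not code from the patent: it takes the ratings, Q₁, keys, coefficients and noise levels from Example 1, derives Q₂ exactly from RI_(P1)=0.142×Q₁−0.693×Q₂ rather than using the rounded Q₂ printed above (so the noisy bound comes out near 2.197 instead of 2.199), and applies make_Response element by element, as the P2 response shown in Example 1 does. All function and constant names are assumptions.

```python
import math

N = 5  # parties P1..P5, as in Example 1

# Rating vectors of the four responders, copied from Example 1
# (P3 is the inquirer and does not respond).
RATINGS = {
    1: [0, 2.6, 3.7, 1.7, 6.9],
    2: [1.3, 0, 2.6, 5.1, 4.7],
    4: [2.7, 3.2, 4.5, 0, 2.3],
    5: [4.5, 4.2, 3.1, 2.3, 0],
}

# Q1 from Example 1, flattened to its 25 entries.
Q1 = [0.997, 0.611, 0.266, 0.84, 0.376,
      0.28, 0.009, 0.276, 0.588, 0.838,
      0.485, 0.744, 0.458, 0.744, 0.599,
      0.735, 0.572, 0.152, 0.425, 0.517,
      0.31, 0.169, 0.492, 0.7, 0.148]

C1, C2 = 0.142, -0.693              # RI = C1*Q1 + C2*Q2 (Example 1)
KEYS = [(2.92, 3.1), (3.29, 2.9)]   # (k_v, a_v) for Q1 and Q2
NOISE = [0.15, 0.13]                # rnd chosen by the response handler


def pos(k, j, n=N):
    """0-based slot of 'rating of Pj by Pk', i.e. the 1-based n(k-1)+j entry."""
    return n * (k - 1) + (j - 1)


def build_inquiry(target, weights):
    """Inquirer: build RI and a Q2 such that C1*Q1 + C2*Q2 == RI exactly."""
    ri = [0.0] * (N * N)
    for referee, w in weights.items():
        ri[pos(referee, target)] = w
    q2 = [(r - C1 * q) / C2 for r, q in zip(ri, Q1)]
    return ri, [Q1, q2]


def encrypt(q, k, a):
    """E(k, a, m) = k^(a*m), applied to every entry of a query."""
    return [k ** (a * m) for m in q]


def make_rv(ratings, i):
    """Zero-pad Pi's n ratings into slots n(i-1)+1 .. n*i of an n^2 vector."""
    v = [0.0] * (N * N)
    v[N * (i - 1):N * i] = ratings
    return v


def make_response(v, iv):
    """Responder: raise each encrypted entry to the power of its own rating."""
    return [e ** r for e, r in zip(iv, v)]


def summarize(responses, rnd):
    """Response handler: multiply responses entry-wise, then apply (1+rnd)."""
    summary = [1.0] * (N * N)
    for rv in responses:
        summary = [s * x for s, x in zip(summary, rv)]
    return [s ** (1 + rnd) for s in summary]


def decrypt(summary, k, a):
    """Inquirer: (1/a) * log_k(.) on each entry of the summary response."""
    return [math.log(s, k) / a for s in summary]


def run_inquiry(target=1, weights=None):
    """P3 asks about P1, weighting P2 at 0.8 and P5 at 0.2 by default."""
    weights = weights or {2: 0.8, 5: 0.2}
    _, queries = build_inquiry(target, weights)
    ivs = [encrypt(q, k, a) for q, (k, a) in zip(queries, KEYS)]

    decoded = []
    for iv, (k, a), rnd in zip(ivs, KEYS, NOISE):
        # The inquiry handler broadcasts iv; every responder answers blindly.
        responses = [make_response(make_rv(r, i), iv)
                     for i, r in RATINGS.items()]
        decoded.append(decrypt(summarize(responses, rnd), k, a))

    relevant = [pos(ref, target) for ref in weights]
    # What the inquirer can compute: the noisy boundary value.
    noisy = sum(C1 * decoded[0][i] + C2 * decoded[1][i] for i in relevant)
    # With the (1+rnd) scaling divided out, the exact weighted rating.
    exact = sum(C1 * decoded[0][i] / (1 + NOISE[0])
                + C2 * decoded[1][i] / (1 + NOISE[1]) for i in relevant)
    return noisy, exact, ivs


if __name__ == "__main__":
    noisy, exact, _ = run_inquiry()
    print(f"noisy bound = {noisy:.3f}, exact = {exact:.3f}")
```

Neither handler in this run ever holds RI_(P1) or the keys: the inquiry handler sees only IV₁ and IV₂, and the response handler sees only powers of their entries.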

EXAMPLE 2

In an experimental study, signature-based intrusion detection alerts over a period of three days from sensors of six subnets were used. Each intrusion detection sensor was modeled as an agent for cross sharing information to develop a holistic view of the security status. Due to the security implications, the stakeholders of the intrusion detection logs preferred to conceal their identity even though they were interested in cross sharing information in their security logs. As such, the proposed privacy preserving reputation system approach was applied to achieve intrusion detection information sharing.

Over the period of the three-day preliminary study, 4618 alerts were generated by the six intrusion detection sensors. 3.68% of the alerts had a source IP indicating an internal origin, i.e., by the source and destination IP addresses and ports. Based on the source IP shown in an alert, the Internet Service Provider (ISP) who handled the routing of the traffic originating from the source IP was located. A reverse lookup on the country of origin of the ISP was then performed.

A total of 16 countries were found in the alerts. The “creditability score” (reputation) of each country was derived based on the potential threat of the traffic activities, as grouped by the country origin logged in the alerts. In this experiment, a two-point penalty was assigned if a destination port is less than 1024, which indicated a potential anomaly of server-side contact as detected by the intrusion detection sensor. One-point penalty was assigned if the destination port in an alert is above 1024. For each IDS sensor, a threat rating score for each one of the 16 countries was derived based on the normalized sum of the penalty points from alerts with a source IP handled by an ISP of the corresponding country, whereas the normalization factor was twice the total number of alerts as generated by the IDS sensor. The creditability score of a country was the negative of the threat score. As such, the creditability score of a country, as assigned by an IDS sensor, was always between 0 and −1. As seen by an IDS sensor, a creditability score of zero means that the corresponding country has not generated network traffic activities which alarmed the sensor. On the other hand, a creditability score (close to) −1 means that the network traffic activities originated from a country were considered to have posed the most serious threat. A 16×1 vector was created by each IDS sensor to maintain the reputation score of the 16 countries, whereas the vector indices are the result of a no-collision hashing taking a country name as an input.

In this experiment, the participants of the peer-to-peer communication are the six IDS sensors, and each participant posts two queries to the mediator proxies. The objective of each IDS sensor is to determine whether the cumulative threat, as measured by the sum of the threat score of the worst three “offenders” (i.e., countries with the three lowest creditability scores), was typical to other IDS sensors. Although one query is sufficient, two queries were posted so that an upper and a lower boundary can be obtained. In this experiment, a random number generator with a uniform distribution was used by the response handler. The random number generator is used to generate a random value between zero and one in dealing with the query, thus resulting in a lower boundary for the response to the query. Likewise, a random value (>1) was generated for the query. This resulted in an upper boundary for the response to the query.

FIG. 3, which is a tabulation of the boundary interval of response, shows the boundary interval of the query response in relation to the threat score of the inquirer. FIG. 4, which is a tabulation of the cumulative threat of responders, shows the upper (U.B.) and lower (L.B.) boundary of the threat score of each country derived by each IDS sensor, as well as the actual value. FIG. 3 shows the relevancy and accuracy of the response, while FIG. 4 shows the degree of privacy preserving of the creditability score information of each IDS sensor.

Agent-Assistant for Privacy Preserving

FIG. 5 depicts an agent-assistant embodiment for the privacy preserving reputation inquiry. FIG. 5 shows the steps of interaction among the inquirer, the pair of mediator proxies, and the responders using the previous example, i.e., P1 solicits the reputation of P2 from P3 and P4. The protocol for agent assistant privacy preserving reputation inquiry shown in FIG. 5 and FIGS. 6A-6F, which are a flowchart of reputation inquiry in a peer-to-peer communication environment of the embodiments of the present invention, includes the following steps:

In FIGS. 6A to 6F an inquirer specifies an inquiry for its agent in step 602. Thereafter, the agent derives new inquiry vector(s) algebraically that constructs the inquiry as an inquiry vector through some linear combination in step 604. The agent also defines the encryption key in step 606. In step 610, the agent applies homomorphic encryption to encrypt each element in each of the new inquiry vector(s). The agent sends each element, one-by-one, to the inquiry handler in step 610. In step 612 the mediator proxy/inquiry handler, upon receiving an inquiry, notifies the response handler to anticipate incoming responses and a destination of the inquirer for the summary response to be sent to. As shown in FIG. 6C the mediator proxy/inquiry handler broadcasts the encrypted inquiry vector(s) to each peer responder in step 614. In turn, each peer responder generates the response by raising each element of each encrypted inquiry vector to the power of the rating score using the make_Response function in step 616 as described below:

make_Response(V^(Pi), IV^(Pk))=Π_(j=1)^(n×n)(k^(mj))^(vj)

where vj is the j^(th) entry in V^(Pi), and k^(mj) is the j^(th) entry in IV^(Pk).

As shown in step 618 each peer responder sends the response to the mediator proxy/response handler. The mediator proxy/response handler, in step 620, upon receiving the replies for query v, combines the responses to generate a summary response S_IV_(v)=Π_(Pi)RV_Pi by multiplying together the individual responses RV_Pi from the parties Pis.

In FIG. 6E the mediator proxy/response handler introduces a random noise S_IV_(v)^(rnd) to the response so that the final response becomes S_IV_(v)^(1+rnd) in step 622. Thereafter, in step 624, the mediator proxy/response handler sends the summary response to the agent of the inquirer using the destination information provided by the inquiry handler in step 612. In FIG. 6F, the agent decrypts the response upon receiving the summary response for the encrypted inquiry vector(s) in step 626. As shown in step 628, the agent composes the linear combination of the response vectors to reconstruct the response vector to the original inquiry. In step 630 the agent extracts only the need-to-know boundary limit information to send to the inquirer.
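An added Python example (not code from the patent) that runs steps 604 to 630 end to end with the page's values k1=2.92, a1=3.1, rnd=0.15 and 0.13, and the combination coefficients 0.142 and −0.693. The second key pair, every rating other than 1.3 and 4.5, and all function names are assumptions; responses are combined element-wise, as in the worked example's summary vectors.

```python
import math
import random

N = 5                              # parties P1..P5, as in the worked example
C1, C2 = 0.142, -0.693             # page's combination: Q = C1*Q1 + C2*Q2
KEYS = [(2.92, 3.1), (3.4, 2.2)]   # (k, a); first pair is from the page, second is constructed
RND = [0.15, 0.13]                 # noise values the page's response handler used
# Constructed ratings (row = rater, column = target); only 1.3 and 4.5 are from the page.
RATINGS = [[0.0, 2.6, 1.6, 2.3, 4.2],
           [1.3, 0.0, 2.5, 4.9, 3.1],
           [0.0, 0.0, 0.0, 0.0, 0.0],   # P3 is the inquirer and rates nobody
           [3.2, 3.0, 1.1, 0.0, 1.9],
           [4.5, 2.3, 4.9, 2.6, 0.0]]

def idx(rater, target):
    """0-based slot of rater's score for target in the n*n vector (T_i layout)."""
    return (rater - 1) * N + (target - 1)

def split_inquiry(q, rng):
    """Step 604: hide the sparse inquiry q behind dense q1, q2 with C1*q1 + C2*q2 == q."""
    q2 = [rng.uniform(0.05, 0.2) for _ in q]
    q1 = [(qi - C2 * q2i) / C1 for qi, q2i in zip(q, q2)]
    return q1, q2

def encrypt(qv, k, a):
    """Agent side: element m becomes k**(a*m)."""
    return [k ** (a * m) for m in qv]

def make_response(row, rater, iv):
    """Step 616: raise each encrypted element to the zero-padded rating v_j."""
    v = [0.0] * (N * N)
    for target, score in enumerate(row, start=1):
        v[idx(rater, target)] = score
    return [e ** vj for e, vj in zip(iv, v)]

def summarize(responses, rnd):
    """Steps 620-622: multiply the responses element-wise, then raise to (1 + rnd)."""
    return [math.prod(col) ** (1 + rnd) for col in zip(*responses)]

def decrypt(summary, k, a):
    """Step 626: apply (1/a) * log_k to every element."""
    return [math.log(s, k) / a for s in summary]

def run_inquiry(q, seed=7):
    """Return (noisy bound, value with the noise divided out, for checking only)."""
    parts = split_inquiry(q, random.Random(seed))
    dec = []
    for qv, (k, a), rnd in zip(parts, KEYS, RND):
        iv = encrypt(qv, k, a)
        resp = [make_response(row, p, iv) for p, row in enumerate(RATINGS, start=1)]
        dec.append(decrypt(summarize(resp, rnd), k, a))
    rel = [i for i, w in enumerate(q) if w]   # steps 628-630: keep need-to-know slots
    bound = sum(C1 * dec[0][i] + C2 * dec[1][i] for i in rel)
    exact = sum(C1 * dec[0][i] / (1 + RND[0]) + C2 * dec[1][i] / (1 + RND[1]) for i in rel)
    return bound, exact

# Inquiry about P1: 0.8 * (P2's rating) + 0.2 * (P5's rating), i.e. slots 6 and 21.
Q = [0.0] * (N * N)
Q[idx(2, 1)], Q[idx(5, 1)] = 0.8, 0.2
if __name__ == "__main__":
    print(run_inquiry(Q))
```

Because the constructed second query vector is positive everywhere, the noisy result here is always an upper bound on the exact value 1.94; the non-relevant slots of each decrypted vector still carry the scaled ratings of every other pair, which is the residual exposure the agent in step 630 is meant to strip.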

Conclusions

The encryption key is never shared by the inquirer. Without the secret key, one could not tell from the inquiry vector the specific inquirer, who is the target and who is/are the referee(s). Furthermore, the inquiry handler broadcasts the inquiry to all parties, thereby eliminating the possibility of revealing the identity of the intended receiver(s). Consequently, the privacy of the responders and the target being inquired is protected, which is the first condition of a trustworthy mediator proxy described earlier. In addition, the responses from the referees are unintelligible to other peers and the response handler because the inquiry handler does not share the original encrypted inquiry vector(s) IV_(i). Only the inquirer can decrypt the response as the secret key holder, which is the second condition of a trustworthy mediator proxy. Finally, the introduction of the random noise by the response handler eliminates the possibility of the inquirer making multiple identical inquiries to algebraically re-derive the specific response of each individual referee, thereby the privacy of the response of a referee is also protected, which is the third condition of a trustworthy mediator proxy.

Although the peer-to-peer communication protocol of the embodiments of the present invention delivers the response to a reputation inquiry with an assurance on the stipulated privacy preserving conditions, there is a vulnerability that has not yet been addressed. Referring to the IT security example above, there is additional information in the response vectors R_Q₁ and R_Q₂, i.e., the boundary limit of the ratings of all individuals by all parties. For example, the inquirer P3 knows the second entry in Q₁ is 0.611, or (2.92^(3.1·0.611))^(v12(1+rnd))=434.266 (the second entry observed in the response for IV₁, i.e., S_IV₁^((1+rnd))) because k1=2.92, a1=3.1, where v12 is the rating of P2 by P1. In other words, v12(1+rnd)=(log_(2.92) 434.266)/(3.1·0.611), or v12≦(log_(2.92) 434.266)/(3.1·0.611)=2.9924, which is 15% more than the actual rating of P2 by P1 as introduced by the mediator proxy.

The risk of the vulnerability just mentioned is a potential exploit if the statistical behavior of the random number generator allows reverse identification, thus the possible value(s) of rnd. This may allow the inquirer to infer the ratings of all individuals by all parties with a certain level of confidence. Yet the quality of an inquiry response suffers if the information about the statistical behavior of the random number generator is concealed excessively. An alternative is an independent entity acting as an agent on behalf of the inquirer to receive the encrypted summary response from the mediator proxy and to strip the additional information in the response vectors prior to passing to the inquirer only the necessary information related to a reputation inquiry. One method to strip the additional information in the response vectors is for the agent to engage the inquirer in a cryptographically enabled one-out-of-n oblivious transfer. One-out-of-n oblivious transfers are well known in the art. Such a transfer process enables the inquirer and agent to exchange multiple pieces of data, with only the need-to-know data being decipherable by the inquirer. The extraneous data is unintelligible to the inquirer.

The embodiments of the present invention present a privacy preserving peer-to-peer communication protocol for reputation inquiry. It involves a pair of trustworthy mediator proxies and guarantees three conditions: (1) the anonymity of the identity of the responders and the target being inquired; (2) the privacy of the content in an inquiry and a response; and (3) the boundary limit of the reputation summary, with no possibility of combining the response of multiple inquiries to reverse engineer the reputation rating of an individual responder.

An algebraic transformation and an enhanced homomorphic encryption are used to protect inquiry privacy from the threat of a covert channel existing in any communication process permitting multiple queries. An example illustration has been presented to show the mechanism of each step and has been used to discuss its strength and its limitation. Finally, the extension of the improved privacy preserving communication protocol is described to incorporate agent assistants to ascertain the delivery of only need-to-know summary response.

While the invention has been described with reference to specified embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof to adapt to particular situations without departing from the scope of the invention. Therefore, it is intended that the invention not be limited to the particular embodiments disclosed as the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope and spirit of the appended claims.

What is claimed is:
1. A method for preserving privacy of a reputation inquiry in a peer-to-peer computer networking communication environment with an inquiry handler, a response handler, a plurality of parties including at least one responder, an inquirer, an inquiry target, wherein the responder has a rating score that rates the inquiry target, the method comprising the steps of: generating an inquiry vector about the inquiry target, wherein the inquiry vector has a plurality of elements and the generating step is performed by the inquirer; applying homomorphic encryption, by the inquirer, to each element of the inquiry vector and specifying a corresponding encryption key, thereby producing an encrypted inquiry, wherein the encryption key is known by the inquirer and is not known by the inquiry handler, the response handler, the inquiry target or the responder, the inquiry handler and the response handler being separate entities, thereby achieving a separation of duty between the inquiry handler and the response handler; sending the encrypted inquiry, across a computer network, to the inquiry handler; broadcasting the encrypted inquiry to the responder, wherein the broadcasting step is performed by the inquiry handler, identifying the response handler to the responder such that each responder can send a response to the response handler, the step of identifying the response handler being performed by the inquiry handler; responding by raising each element of the encrypted inquiry vector by a power equal to the rating score, thereby generating a response to the inquiry, wherein the raising step is performed by the responder; transmitting the responses, across a computer network, from the responder to the response handler; producing a summary response, wherein the step of producing is performed by the response handler; sending the summary response from the response handler to the inquirer; and decrypting the encrypted summary response using a decryption key; wherein the step of responding responds by constructing a rating vector make_RV(R^(Pi),i)=T_(i)×R^(Pi) wherein R^(Pi) is a vector storing a rating score for each of the parties P_(i), where T_(i) is a transformation matrix of size n²×n for mapping R^(Pi) of size n×1 to rating vector V^(Pi) of size n²×1 with zero padding, and T_(i)^(T)=[Z_(n×n(i−1)) I_(n×n) Z_(n×n(n−i))] is composed of a zero matrix of size n×n(i−1), an identity matrix of size n×n, and another zero matrix of size n×n(n−i), and then applying a response function make_Response(V^(Pi), IV^(Pk))=Π_(j=1)^(n×n)(k^(mj))^(vj), where vj is j^(th) entry in the V^(Pi), and k^(mj) is the j^(th) entry in IV^(Pk), to raise each element of the encrypted inquiry vector by the power equal to the rating score.
2. A method for preserving privacy of a reputation inquiry in a peer-to-peer computer networking communication environment with an inquiry handler, a response handler, a plurality of parties including at least one responder, an inquirer, and an inquiry target, wherein the responder has a rating score that rates the inquiry target, the method comprising the steps of: generating, by the inquirer, a first and second query vector about the inquiry target, with respective first and second elements, wherein the first query vector and the second query vector may be algebraically combined according to a predetermined algebraic operation to form an inquiry vector; applying homomorphic encryption to each first element and each second element of the first and second query vector and specifying a corresponding first and second encryption key, thereby producing a first and second homomorphically encrypted inquiry, wherein the first and second encryption keys are known by the inquirer and are not known by the response handler, the inquiry target or the responder, the inquiry handler and the response handler being separate entities, thereby achieving a separation of duty between the inquiry handler and the response handler; sending the first and second inquiry vectors across a computer network to the inquiry handler; broadcasting the first and second homomorphically encrypted inquiry to the responder, wherein the broadcasting step is performed by the inquiry handler; identifying the response handler to the responder such that each responder can send a response to the response handler, the step of identifying the response handler being performed by the inquiry handler; receiving, by the response handler, first and second responses from the responder which correspond to the first and second homomorphically encrypted inquiries, wherein the responder raised each element of the first and second homomorphically encrypted inquiry vector by a power equal to the rating score; producing, by the response handler, a first summary response corresponding to the first responses and a second summary response corresponding to the second responses; sending the first and second summary responses to the inquirer; and algebraically combining the first and second summary responses, by the inquirer, according to the predetermined algebraic operation to enable the inquirer to determine the rating score for the inquiry target as determined by the responder.
3. The method as recited in claim 2, wherein the step of applying homomorphic encryption is performed by the inquirer.
4. The method as recited in claim 2, wherein the inquirer chooses the first encryption key.
5. The method as recited in claim 2, further comprising a step of finalizing the first summary response by adding a random noise from a random number generator with a seed value and the seed value is sent to the inquirer along with the first summary response.
6. The method as recited in claim 2, further comprising a step of specifying an agent to act on behalf of the inquirer.
7. The method as recited in claim 6, wherein the step of applying homomorphic encryption is performed by the agent.
8. The method as recited in claim 7, wherein the step of sending the first and second inquiry vectors sends the first and second inquiry vectors from the agent to the inquiry handler.